Data-Stealing Ransomware App Found in Official Google Play Store

An app hosted by Google Play turns out to have had ransomware hidden inside of it, which infected at least one unsuspecting Android user.

The zero-day mobile ransomware, which also steals users’ data, was dubbed Charger by researchers at Check Point, the cybersecurity firm that detected its existence. Charger was found embedded in Energy Rescue, a purported battery-saving app.

Once Charger successfully insinuated itself into the Android device, it stole contacts and SMS messages, and tricked the user into unwittingly granting it administrator rights. Once it received admin rights, the infected app would lock the device and display the following ransom note:

“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”

The cybercriminals behind Charger demanded 0.2 Bitcoin, worth around $180, in exchange for returning the files and unlocking the hijacked device. The malicious agents behind the ransomware attack haven’t been identified yet, but Check Point has observed that Charger doesn’t function in Ukraine, Russia, or Belarus, which suggests they may be based in one or all of those countries. Malware developers commonly adopt this practice to avoid prosecution in their own countries.

This isn’t the first ransomware-infected app to have been discovered in the Google Play store. Last October, for example, over 400 apps on the Google Play store were found to contain the Dresscode Trojan malware. Earlier this month, Check Point discovered a variant of the HummingBad family of malware hidden in a score of Google Play apps that were downloaded by millions.

What sets Charger apart from other malware, according to Check Point researchers, is that it used several advanced techniques to evade detection, such as encoding strings into binary arrays and loading code from encrypted resources dynamically. While most Google Play malware contains only a dropper that fetches the malicious code after installation, Charger adopted a more aggressive and direct approach, carrying its payload inside the app hosted on the official Google Play store. Finally, the payment demanded was also much higher than the typical ransom fee.
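The behaviours described above (contact and SMS access combined with a request for device-administrator rights, and code loaded dynamically from encrypted resources) are also the indicators an analyst would look for when triaging a suspicious Play Store app offline. The following static-triage script is an added example and is not code from Check Point or from the Charger sample; the manifest and the class-reference list are constructed stand-ins for what a decompiler would produce, and the loader/crypto pairing is a heuristic, not a definitive verdict.

```python
"""Static triage for the indicator combination described in the article:
contact/SMS permissions plus a device-admin receiver, and dynamic class
loading next to crypto APIs (a hint that code is unpacked at run time).
All inputs below are constructed samples, not the real Energy Rescue app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest: a "battery saver" asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed class-reference list, as a decompiler's class index would show it.
SAMPLE_CLASS_REFS = [
    "android.app.admin.DeviceAdminReceiver",
    "dalvik.system.DexClassLoader",
    "javax.crypto.Cipher",
]

# Permissions that give access to the data the article says Charger stole.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}
# Real Android class loaders that can load code not present in the APK's main dex.
DYNAMIC_LOADERS = {
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
}


def manifest_indicators(manifest_xml):
    """Return which data permissions are requested and whether a
    device-admin receiver (BIND_DEVICE_ADMIN) is declared."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    device_admin = any(
        el.get(ANDROID_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
        for el in root.iter("receiver")
    )
    return {
        "data_permissions": sorted(perms & DATA_PERMISSIONS),
        "device_admin": device_admin,
    }


def dynamic_loading_indicators(class_refs):
    """Flag dynamic class loaders and crypto usage; both together suggest
    code unpacked from encrypted resources at run time (heuristic)."""
    refs = set(class_refs)
    return {
        "dynamic_loader": sorted(refs & DYNAMIC_LOADERS),
        "crypto": "javax.crypto.Cipher" in refs,
    }


def triage(manifest_xml, class_refs):
    """Combine the indicators into human-readable findings for an analyst."""
    m = manifest_indicators(manifest_xml)
    d = dynamic_loading_indicators(class_refs)
    findings = []
    if m["device_admin"] and m["data_permissions"]:
        findings.append("device-admin receiver combined with contact/SMS access")
    if d["dynamic_loader"] and d["crypto"]:
        findings.append("dynamic class loading alongside crypto API (possible encrypted payload)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_CLASS_REFS):
        print("FINDING:", finding)
```

Neither indicator is malicious on its own: legitimate security and device-management apps declare a device-admin receiver, and plenty of apps use `DexClassLoader` for plugins. The value is in the combination, which is why the script reports on pairs rather than single hits and leaves the final call to the analyst.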